Network Security Tutorial-14 Design Fundamentals IPSEC, KERBEROS ET-IDA-082 Tutorial-14 IPSEC, KERBEROS 15.06.2018, v4 Prof. W. Adi
IPSec problem : Users A and B are using a simplified IPSEC IKE system in aggressive mode according to Fig. 1. Assuming that : A=1, B=0, CP=5, IC= 0, RC=1, a= 21, b= 17, RA= 4, RB= 7 (| stands for concatenation) Design a Diffie-Hellmann key exchange system over GF(25) using p(x) = x5 + x4 + x3 + x + 1 as a field modulus assuming that the secret keys for users A and B are a=21, b=17 respectively. Compute a primitive element g and the common key gab as a binary vector in GF(25). Compute the common session key as K = h(IC|RC|(gab mod p(x))|RA|RB) Assuming the hash function h is defined as the least significant digit of x2 mod 97 that is: h(x) = (x2 mod 97 ) mod 10 (see also all parameters on Fig 1.) (show all necessary computations) 3. Compute SKEYID. SKEYID = h(RA| RB|(gab mod p(x))) . (Show all necessary computations in your solution!) 4. Compute the signature of B assuming the proof to be a secret key signature by double hashing as follows: proofB = h [ h(SKEYID |gab |IC|RC|CP|“Bob”) |KBob] , where KBob =9 is a secret signing key of Bob appended to the hash value.
IKE Phase 1: Public Key Signature (Aggressive Mode) User A Alice User B Bob IC, “Alice”, ga mod p, RA, CP IC,RC, “Bob”, RB, gb mod p, CS, proofB IC,RC, proofA Session key= K DHGF= Diffie-Hellman Key exchange over GF(25) p(x) = x5 + x4 + x3 + x + 1 as field modulus, Xa=21, Xb=17 CP = 5=crypto proposed CS = crypto selected = 1 IC = initiator “cookie” = 0 RC = responder “cookie”= 1 Alice = 1 , RA= 4, Bob = 0 , RB= 7 K = h(IC|RC|gab mod p(x)|RA|RB) Assume h(X) = X2 mod 97 mod 10 SKEYID = h(RA| RB|gab mod p(x)) proofA = h [ h(SKEYID |gab|IC|RC|CP|“Alice”) |KAlice] proofB = h [ h(SKEYID |gab|IC|RC|CP|“Bob”) |KBob] Fig. 1
p(x) = x5 + x4 + x3 + x + 1 = 0 => x5 = x4 + x3 + x + 1 IPSec problem solution: DH setup: User A: a= 21 , b = g21 =( x21) = = x16 . x5 = (x4 + x3 )(x4 + x3 + x + 1) = 1 + x4 = 10001 Public directory User B: Xb= 17 , Yb = g17 =( x17) = x16. x = x5 + x4 = x3 + x + 1 = 01011 p(x) = x5 + x4 + x3 + x + 1 in GF(25) g=x : primitive element Ya = 10001 Yb = 01011 25-1=31 is a prime number, all non-zero and not 1 elements have order 31, element 1 has order =1, => x is a primitive element p(x) = x5 + x4 + x3 + x + 1 = 0 => x5 = x4 + x3 + x + 1 x1 = x x2 = x2 x3 = x3 x4 = x4 x5 = x4 + x3 + x + 1 x6 = x5 + x4 + x2 + x = x4 + x3 + x + 1 + x4 + x2 + x = x3 + x2 + 1 x7 = x4 + x3 + x x8 = x5 + x4 + x2 = x4 + x3 + x + 1 + x4 + x2 = x3 + x2 + x + 1 = 01111 X16 =( x8)2 = x6 + x4 + x2 + 1 = x3 + x2 + 1 + x4 + x2 + 1 = x4 + x3 = 11000 = (24) 10 gab = ( (x21 )17) mod 31 = x357 mod 31 = x16 = x4 + x3 = 11000 = (24) 10
SKEYID = h(RA, RB, gab mod p(x)) = ((4 7 24)2 mod 97) mod 10= 5 Session Key computation: K = h(IC|RC|(gab mod p(x))|RA|RB) = ((012447)2 mod 97 )mod 10=8 Where h(X) = (X2 mod 97) mod 10 3. SKEYID computation: SKEYID = h(RA, RB, gab mod p(x)) = ((4 7 24)2 mod 97) mod 10= 5 4. Computing proofB: proofB = h [ h(SKEYID |gab|IC|RC|CP|“Bob”) |KBob] proofB= h[((5 24 0 1 5 0)2 mod 97) mod10] = h[2 |KBob] = ((2 9)2 mod 97) mod10 = 5
IKE Phase 1: Public Key Signature (Aggressive Mode) User A Alice User B Bob 0, 1, x21 mod p(x), 4, 5 0,1, 0, 7, x17 mod p(x), 1, 5 IC,RC, proofA CP = 5=crypto proposed CS = crypto selected = 1 IC = initiator “cookie” = 0 RC = responder “cookie”= 1 Alice = 1 , RA= 4, Bob = 0 , RB= 7 DHGF= Diffie-Hellman Key exchange over GF(25) p(x) = x5 + x4 + x3 + x + 1 as field modulus, Xa=21, Xb=17 Fig. 2
KERBEROS problem : A KERBEROS system is set up as shown in Fig. 3 The used hash function is : h(x) = x3 mod 41 The adopted encryption function is: Y = E(X,K) = X · K mod 53 Notice: split your encrypted blocks when necessary such that the system becomes operational!! Compute KA and TGT. Compute the number of possible key choices for KKDC. Compute the KDC response Res Decrypt Res on Alice side Compute Alice’s REQUEST Compute KB and KDC REPLY to Alice including the ticket to Bob Compute AuthenticatorA to Bob and decrypt ticket to Bob on Bob’s side Compute ResB on B side and verify it at A side How secure is the proposed system? Is it possible for KDC to encrypt TGT such that TGT becomes perfectly secure (impossible to break)? Why? If possible, how to do that by using the above adopted encryption function? MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?
Step 1: Kerberized Login (Ticket Granting Ticket : TGT ) Alice wants a TGT Alice’s Password Alice’s Secret key KA = h(PasswordA) Res = E(SA|TGT, KA) Alice Computer KDC h(x) = x3 mod 41 TGT = E(“Alice”|SA, KKDC) KDC proposed session key SA= 8 PasswordA = 7, PasswordB= 9 KKDC= 22 Alice = 1, Bob= 2 (TGT= Ticket Granting Ticket), E(X,Y,Z, K) means data XYZ are encrypted using the key K Encryption function E: Y = E(X,K) = X · K mod 53 MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen? Fig. 3
Step 2: Alice Requests Ticket to Bob I want to talk to Bob Talk to Bob REQUEST Alice REPLY Computer KDC REQUEST = (TGT, authenticator), where authenticator = E(timestamp, SA) REPLY = E(“Bob”|KAB| ticket to Bob, SA) ticket to Bob = E(“Alice”|KAB, KB) generated by KDC Step 3: Alice sends Ticket to Bob, establish link Timestamp = 9, proposed KAB= 6 ticket to Bob = E(“Alice”|KAB, KB), authenticatorA = E(timestamp, KAB) ResB = E(timestamp + 1,KAB) Bob (Knows KB) Secured link: (KAB = 6) Alice’s Computer Fig. 4
2. Number of possible key choices for KKDC. KA = h(7) = 73 mod 41 = 343 mod 41= 15 TGT = E(“Alice” | SA, KKDC) = E( 1 | 8 , 22) = (18 * 22) mod 53 = 396 mod 53 = 25 2. Number of possible key choices for KKDC. # possible keys for KDC = φ(53) = 52 3.Res = E(SA|TGT, KA) = E(8|25, 15) = E(8,15) | E(25,15) = 8x15 mod 53 | 25x15 mod 5 = 120 mod 53 | 375 mod 53 = 14 | 4 4. Decryption of Res on Alice side Res = 14 | 4 Decryption of Res = D( Res , KA-1 ) = D( 14 | 4 , KA-1 ) = (14 x 46 mod 53 | 4 x 46 mod 53) = 8 | 25 = SA | TGT KA-1 mod 53 = 15-1 mod 53 = -7 mod 53 = -7 + 53 = 46
5. Computing Alice’s REQUEST REQUEST = (TGT, authenticator) authenticator = E (timestamp, SA ) = E(9, 8) = 9 x 8 mod 53 = 72 mod 53 = 19 REQUEST = (TGT, authenticator) = (25 , 19) 6. Computing KB and KDC REPLY to Alice including the ticket to Bob KB = h(PasswordB) = h(93) mod 41 = 729 mod 41 = 32 Ticket to Bob = E(“Alice”|KAB, KB) generated by KDC = E(1|6 , 32) = 16 . 32 mod 53 = 512 mod 53 = 35 REPLY = E(“Bob”|KAB| ticket to Bob, SA) = E( 2 | 6 | 35 , 8 ) = E( 26 , 8 )| E( 35 , 8 ) = 26 . 8 mod 53 | 35 . 8 mod 53 = 208 mod 53 | 280 mod 53 = 49 | 15
7. In Fig. 3 Compute AuthenticatorA to Bob and decrypt ticket to Bob on Bob’s side AuthenticatorA = E(timestamp, KAB) = E(9,6) = 9 . 6 mod 53 = 54 mod 53 = 1 KB-1 mod 53 = 5 Ticket to bob = 35 Decrypt on Bob‘s side = D(Ticket to bob , KB-1) = D(35,5) = 35 x 5 mod 53 = 175 mod 53 = 16 = 1|6 = „Alice“ | KAB
8. In Fig. 3 compute ResB on B side and Verify it at A side ResB = E(timesatamp+1, KAB) = E(9+1, 6) = 10 .6 mod 53 = 60 mod53 = 7 KAB-1 mod 53 = 9 D(ResB , KAB-1 ) = E(ResB,KAB-1) = E(7,9) = 7 . 9 mod 53 = 63 mod 53 = 10 = timestamp +1
Basically not secure as knowing one clear-text/cipher-text pair would allow computing the secret key K. As follows: K = X-1 . Y mod 53. As 53 is a prime , any non-zero X is invertible modulo 53. The hash function using x3 mod 41 could be invertible if the cube root in GF(41) is computable. However, if the key K is not repeatedly used, then the cipher is equivalent to Vernam cipher over the multiplicative group of GF(53), as 53 is a prime and hence the cipher usage becomes unconditionally secure. 10. Yes, if the KDC do not repeat using the same encryption key KkDC for creating TGT. As 53 is a prime and the system is operating in the multiplicative group of GF(53). Therefore KDC would be using a Vernam-cipher-equivalent scheme. This makes TGT unconditionally secure. KDC should not repeat the usage of any key !!
Alice wants Alice Fig. 5 Fig. 6 a TGT = 25 KDC Computer Alice’s Password Alice wants Alice’s Secret key KA = 15 a TGT = 25 Res = 14 | 4 KDC Computer Fig. 5 Alice Talk to Bob I want to talk to Bob REQUEST = (25,19) REPLY=49 |15 KDC Computer ticket to Bob = 35, authenticatorA = 1 ResB = 7 Alice’s Computer Bob (Knows KB) KAB = 6 Fig. 6